Why getting a firm grip on cybersecurity is more important than ever for private and family businesses

By Grant Waterfall, EMEA Cybersecurity and Privacy Leader, PwC Germany

Five years ago, thousands of computers and industrial control systems in more than 60 countries were paralysed by the ‘NotPetya’ malware attack. Originally targeted at infrastructure and organisations in Ukraine, the virus caused chaos at hundreds of companies worldwide. Many were forced to close down their operations entirely.

The incident illustrated the rising scope and scale of cyber threats – and also businesses’ increasing vulnerability to them, as more and more equipment and devices become connected to the internet. It also underlined something else: digital connectivity’s increasingly pivotal role in keeping companies’ core operations running.

Amid today’s ever-advancing digitalisation, the reality is that high-quality, resilient technology and infrastructure are vital for any private and family business to thrive and grow. When considering whether these are available in a territory, there are various tools and strategies in the marketplace that companies can apply. But one valuable resource that we believe helps to cut through the noise is PwC’s Europe, Middle-East and Africa (EMEA) Private Business Heatmap.

The Heatmap enables private and family business decision-makers to gain a bird's-eye view of what matters most to them. It includes metrics on areas like broadband access, internet usage and mobile connectivity as key inputs – alongside others ranging from tax rates to political stability to CO2 emissions per capita.

Cyber is rising up the private business agenda…

The importance of the metrics around digital infrastructure is growing rapidly, as three specific trends play out that are making cyber increasingly relevant to private and family businesses.

First, digitisation and cloud adoption – which are creating major opportunities but also opening up new risks. In general, private businesses tend to be small and medium-sized enterprises (SMEs) lacking the huge budgets of multinationals. This often means they haven’t been set up to operate in a digitally secure way and have only limited resources to manage cyber risks. Yet, as ‘NotPetya’ underlined, they face the same cyber threats as bigger organisations – albeit as collateral victims.

With cloud, the good news is that cloud platforms can be much more secure than the on-premise systems they replace, with much of the responsibility for security residing with the cloud provider. This means even the smallest private business can benefit from the huge investments in cybersecurity being made by the global hyperscalers. But to realise these benefits in full, it’s vital to ensure the cloud sourcing agreement is set up properly by the company consuming the services.

The second trend that’s boosting the relevance of cyber is a shift towards focusing more attention on operational technology (OT) as opposed to only information technology (IT). OT includes a wide array of devices and machines ranging from industrial control systems in factories to operational processing systems, and from transportation and logistics systems to other critical infrastructure.

While OT has always been subject to cyber risks, it has historically not been a major focus for security efforts. But this is changing fast. Cyber threats to OT are escalating rapidly, as advances including rising factory automation, digitisation of logistics and increasing internet connectivity make these operational systems ever more exposed to attack.

Not surprisingly, cyber criminals have identified this expanding area of vulnerability, and are increasingly targeting OT. To help companies respond to these growing threats and learn about effective defence strategies, PwC Germany recently set up a new OT-focused Cyber Security Experience Centre in Frankfurt.

The third trend that’s making cyber more important for private and family businesses is the overall increased threat environment. Rising geopolitical tensions – not least the war in Ukraine – are driving the risk of suffering a cyberattack ever higher, particularly for organisations involved in sectors like energy, transportation, defence or critical infrastructure. But the indiscriminate and contagious nature of cyberattacks means every organisation needs to be on the alert, and ready to cope with a dramatic escalation at any time.

...but, more positively, help is readily available

However, while cyber threats may be growing, the upside is that there are plenty of solutions and approaches available for private and family businesses to protect themselves more effectively.

What steps should you take? First, if you haven’t done so already, the most important action is to implement basic “cyber hygiene”. This includes ensuring things like antivirus software, endpoint detection and response (EDR) and security patches are in place and up-to-date. Getting cyber hygiene right requires a full view of your IT and OT estate: we’ve often found that companies have overlooked some of their systems, leaving dangerous gaps in their antivirus and EDR coverage that put them at higher risk of breaches.

For companies looking to put the basics in place, there are some very useful guides available on the internet, from both the public and private sectors. As PwC’s EPB Heatmap underlines, countries gain major economic and social benefits from having a thriving private business sector. To help realise this opportunity, many governments have launched initiatives to raise awareness of cybersecurity and provide smaller and entrepreneurial organisations with guidance on leading practices.

By way of example, take the UK – where the help on offer includes a bulletin from the National Cyber Security Centre containing 11 action steps to take at a time of heightened risk, and the Cyber Essentials programme, a Government-backed, industry-supported scheme to help SMEs protect themselves online. The European Union also offers guidance, such as a paper on Cybersecurity mitigation measures against critical threats. Meanwhile, useful information from the private sector includes PwC's Cybersecurity and geopolitical conflicts website, and our guide to managing cyber risks in the supply chain, drawing on our 2022 Global Digital Trust Insights Survey.

Help with cyber security is also available from the global cloud service providers (CSPs). There are well established ‘shared responsibility’ models for cloud solutions, and it’s important that businesses understand the role they need to play in this shared responsibility. The CSP commits to handle the security and resilience of the cloud platform itself, while the customer – the business using the cloud platform – is responsible for how it takes the services and configures them. Understanding and acting on this shared responsibility model are vital for reaping the full security benefits that the cloud offers.

At the same time, if you use a cybersecurity service provider, you need to ensure it has the necessary capabilities. For example, if you ask your provider to turn up the sensitivity of its monitoring to reflect higher threats, can it do that cost-effectively? Another smart move is to dust off and test out your incident response and crisis management plans. And do you have a retainer in place for specialist help 24x7 if an incident occurs? Knowing who to call first is crucial to an effective response.

Finally, if you do business with larger corporations, taking action to secure your systems may well not be an option, but an imperative. We’re increasingly seeing big businesses cascade higher security standards – usually based on ISO27001 (International Organisation for Standardisation) or the United States’ National Institute of Standards and Technology (US NIST) – down their supply chains, and cease doing business with any smaller suppliers that fail to comply. So if you fail to raise your game in cybersecurity, you won’t just face higher risks, but could be frozen out by your biggest customers.

Cyber security is key to the future of your private or family business – and while the risks are growing, there’s plenty of help at hand. If you'd like to discuss anything in this blog, please get in touch. We’ll be delighted to hear from you.
